SharePoint vulnerability with 9.8 severity rating under exploit across globe
Briefly

Recovery begins with installing the updates, but attackers can exploit the vulnerabilities to steal authentication credentials. Researchers from Eye Security found systems compromised during attacks on July 18 and 19, which used a backdoor named ToolShell. This webshell allowed attackers to access sensitive SharePoint Server areas and extract vital tokens. The backdoor differs from typical ones by directly invoking internal .NET methods to read the server's MachineKey configuration. A previously fixed SharePoint vulnerability, exploited during this attack, enabled remote code execution through the server's serialization behavior.
The attackers used a webshell-based backdoor called ToolShell, gaining access to sensitive parts of a SharePoint Server and extracting tokens for code execution.
This backdoor invoked internal .NET methods to read SharePoint's MachineKey configuration, which is crucial for generating valid __VIEWSTATE payloads.
A SharePoint vulnerability, fixed in 2021, allowed attackers to abuse the server's parsing logic to inject objects, creating opportunities for remote code execution.
The attackers exploited the way SharePoint processes data structures and object states, leveraging serialization to inject harmful objects.
Read at Ars Technica